[Phplogcon-dev] not allow certain files to be access

Michael Meckelein mmeckelein at hq.adiscon.com
Wed Dec 7 15:49:49 CET 2005


Brian, 

This approach works only in a Linux environment. Note that Windows uses
\ instead of Linux's / for directory browsing.

E.g. file in 
- windows: c:\webserver\phplogcon\config.php
- linux: /var/www/phplogcon/config.php

Furthermore, I have to admit that I am not aware of an actual security
issue from accessing those files directly via URL. Of course it is not
intended to call files like config.php directly. To prohibit accessing
files directly which are not intended to be accessed directly is of course a
good security concept. But maybe I overlook a security issue with the
current (without your check) approach?

Michael

> -----Original Message-----
> From: phplogcon-dev-bounces at lists.adiscon.com [mailto:phplogcon-dev-
> bounces at lists.adiscon.com] On Behalf Of Brian Shea
> Sent: Wednesday, December 07, 2005 6:36 AM
> To: phplogcon-dev at lists.adiscon.com
> Subject: Re: [Phplogcon-dev] not allow certain files to be access
> 
> Michael, here is the code section that will disallow access to php files
> from the URL.
> 
> It basically looks at the file name in the $_SERVER[script_name] to see if
> it matches itself.
> 
> // BGS -- do not allow access from URL
> $filename =  substr(__FILE__, strrpos( __FILE__, "/" ));
> $requestname = substr($_SERVER['SCRIPT_NAME'], strrpos(
> $_SERVER['SCRIPT_NAME'], "/" ));
> 
> if( $filename == $requestname )
> {
>     session_unset();
>     header("Location: ../index.php");
>     exit;
> }
> // BGS end
> 
> 
> 
> On 12/6/05, Brian Shea <bgshea at gmail.com> wrote:
> >
> > The code is just below the GNU license marked with
> >
> > // BGS --
> >
> > // BGS end
> >
> > the first section is the trailing '/' (slash) removal, the second section
> > is the disallow. I don't have the code in front of me to look at.
> >
> >
> > On 12/6/05, Michael Meckelein <mmeckelein at hq.adiscon.com> wrote:
> > >
> > > Hi Brian,
> > >
> > > I need your help. Please can you point me to where I can find the
> > > following modification?
> > >
> > > > added php code to not allow certain files to be access by the
> > > > URL!!! esp. include.php and config.php
> > >
> > > Thank you.
> > >
> > > Best regards,
> > > Michael
> > > _______________________________________________
> > > Phplogcon-dev mailing list
> > > http://lists.adiscon.net/mailman/listinfo/phplogcon-dev
> > >
> >
> >

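The portability point raised in this reply, as an added example that is not part of the original thread or of phpLogCon: the posted check beside a variant that accepts both path separators, run over the two config.php paths given in the message. The function names and the SCRIPT_NAME values are constructed for illustration.

```php
<?php
// Added example, not phpLogCon code. The file paths are the two from the
// message; the SCRIPT_NAME values are constructed.

// The check as posted: only "/" is treated as a path separator.
function posted_check(string $file, string $scriptName): bool
{
    $filename    = substr($file, (int) strrpos($file, '/'));
    $requestname = substr($scriptName, (int) strrpos($scriptName, '/'));
    return $filename == $requestname;
}

// Last path component, accepting both "/" and "\" as separators.
function last_component(string $path): string
{
    $path = str_replace('\\', '/', $path);
    $pos  = strrpos($path, '/');
    return $pos === false ? $path : substr($path, $pos + 1);
}

// Separator-independent variant. The comparison is case-insensitive because
// Windows file systems are case-insensitive by default.
function portable_check(string $file, string $scriptName): bool
{
    return strcasecmp(last_component($file), last_component($scriptName)) === 0;
}

$cases = [
    // [value of __FILE__ inside config.php, $_SERVER['SCRIPT_NAME'], meaning]
    ['/var/www/phplogcon/config.php',        '/phplogcon/config.php', 'linux, direct request'],
    ['c:\\webserver\\phplogcon\\config.php', '/phplogcon/config.php', 'windows, direct request'],
    ['/var/www/phplogcon/config.php',        '/phplogcon/index.php',  'linux, included by index.php'],
    ['c:\\webserver\\phplogcon\\config.php', '/phplogcon/index.php',  'windows, included by index.php'],
];

foreach ($cases as [$file, $script, $label]) {
    printf("%-32s posted=%-5s portable=%s\n", $label,
        var_export(posted_check($file, $script), true),
        var_export(portable_check($file, $script), true));
}
```

Both variants compare only the last path component, so an include file that shares its name with the script including it would also be treated as a direct request.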

